SAML 2.0 Multiple AuthnStatements
If I interpret the SAML 2.0 protocol correctly, you can have multiple AuthnStatements. What is the purpose of this? I cannot see a use case of having multiple AuthnStatements really.
I am trying to understand how various SSO technologies like SAML 2.0 and OpenID Connect 1.0 work.
In general, they work in a similar way, providing tokens (XML, JSON) through an Identity Provider to a Service Provider.
What I don’t fully underst… Continue reading Authentication SSO token security – SAML, OpenID Connect
I’ve got a question about the best practice in storing a Keystore file (.jks) in source control. This Keystore is called by a stand-alone Java component that retrieves a private key for the purpose of signing SAML assertions.
For security… Continue reading Where should a keystore (.jks) be stored in a repository
Could anyone explain what would be the best approach for this scenario?:
There are 2 separate Service Providers:
System A is a server that works as a REST API for a mobile application.
System B is a website which login is… Continue reading OAuth & SAML integration or better approach
I don’t know too much about security. Specifically, I don’t understand the difference between JSON Web Tokens, SAML and OAuth 2. If you could provide some pointers and high level overview of their functions it would help me l… Continue reading JSON Web Tokens vs. SAML
Is there a way to implement SAML-based authentication to an IdP where the client keeps the session information? The idea is that a load-balanced server farm for the SP would be able to remain completely state-less and not have to build a s… Continue reading SAML Without Session
Identity Providers (IdP) often provide a metadata file that is used when setting up SAML. This file needs to be entered into a Service Provider (SP). Do we need to keep this metadata file private and secure? Or is the informa… Continue reading SAML 2.0 IdP metadata security
Currently we authenticate WCF calls TO a service via ADFS, using the following procedure:
Firstly, we get a SAML token from ADFS
using (var factory = new WSTrustChannelFactory(
new UserNameWSTrustBinding(System.ServiceMo… Continue reading Authenticate WCF call to ADFS through Web Application Proxy (WAP)
Let’s say I have two websites that live on separate domains, and their service providers both talk to the same identity provider on a third domain. I log into the first website and authenticate, and now I decide to visit the … Continue reading How is SAML solving the cross domain single sign-on problem?